On Wed, 30 Dec 2015 07:34:52 +1000 Hans wrote:
> Hi,
>
> Is it possible to fully encrypt a Gentoo system as can be done with
> Fedora, Suse, Arch Linux, Debian and Ubuntu without using an unencrypted
> USB boot stick or unencrypted /boot partition?
>
> If yes, where can I find instructions that really work on a BIOS only
> box without UEFI, EFI, systemd using EXT4 file system?

The easiest way is to use ATA password for your drive (go into
BIOS menu for that or use some live image capable of that, e.g.
any Linux with hdparm or mhdd).

If you want to use Linux encryption (e.g. LUKS), you have to have
some piece of data unencrypted, because bios/uefi needs to load some
code which will be able to run kernel and decrypt your drive. This
piece may be kernel + initrd on efi partition or boot partition, usb
stick and so on. Of course it is possible to boot from external
media (PXE, CD/DVD, USB stick) and have whole HDD/SSD encrypted.

Though I see little point in whole / encryption. What is the
point to encrypt /usr, /lib, /bin, /sbin? Just do this
to /home, /var and other sensitive pieces.

Best regards,
Andrew Savchenko